Cisco Support Community
Community Member

PIX 515E to block ip of a subnet

I have a PIX 515E and would like to block traffic of certain IP subnets.

I am receiving so many hits from there to my email server's SMTP port.

I manually blocked IPs.

Ex.

125.110.102.86    IPs from China that are creating spam on my mail server.

220.190.41.132

Instead of each IP, I want to block 125.110.0.0 and 220.190.0.0.

How can I get this done?

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: PIX 515E to block ip of a subnet

bhavesh20@yahoo.com

Thanks for the response, Jon.

I am not a lot familiar with PIX, but from the web interface (PDM) I added a rule like this and it's blocking traffic from that IP:

access-list acl_out_to_in line 40 extended deny object-group DM_INLINE_SERVICE_1 host 125.110.102.86 any 0x960c8531
  access-list acl_out_to_in line 40 extended deny ip host 125.110.102.86 any (hitcnt=21650) 0x47f4e704
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any (hitcnt=0) 0xe6059313
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any eq smtp (hitcnt=0) 0x7e703e53

What I would like to do is block everything from the IPs 125.110.102.0 - 125.110.102.255, all hosts. Is it possible?


access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp

Note that instead of "any" you could actually put the SMTP server address, i.e. its public IP.

If you want to deny all IP:

access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any

but be aware that this will stop all IP connections from that subnet to any of your IP addresses.

Jon
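Jon's two deny lines differ only in scope: the first drops SMTP from the /24, the second drops every IP connection from it. As an added example that is not from the thread or from Cisco, the Python below evaluates PIX-style ACEs (network plus real netmask, not an IOS wildcard mask) against constructed flows so the difference can be checked; the server addresses 203.0.113.25/.80 and the extra www permit are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Subset of the PIX access-list syntax used in the thread. PIX takes a real netmask
# (255.255.255.0), not the inverted wildcard mask that IOS router ACLs use.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?$"
)
PORT_NAMES = {"smtp": 25, "www": 80}
Flow = namedtuple("Flow", "src dst proto dport")  # one connection attempt, outside -> inside

def _to_network(token):
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host"):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    net, mask = token.split()  # e.g. "125.110.102.0 255.255.255.0"
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    port = m["port"]
    return {"action": m["action"], "proto": m["proto"],
            "src": _to_network(m["src"]), "dst": _to_network(m["dst"]),
            "dport": None if port is None else PORT_NAMES.get(port) or int(port)}

def first_match(acl, flow):
    """Action of the first ACE that matches the flow; None is the implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != flow.proto:
            continue
        if ace["dport"] is not None and ace["dport"] != flow.dport:
            continue
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return None

# Constructed server addresses (RFC 5737 range), not from the thread, behind Jon's two deny variants.
PERMITS = ["access-list acl_out_to_in permit tcp any host 203.0.113.25 eq smtp",
           "access-list acl_out_to_in permit tcp any host 203.0.113.80 eq www"]
SMTP_ONLY = [parse_ace(l) for l in
             ["access-list acl_out_to_in deny tcp 125.110.102.0 255.255.255.0 any eq smtp"] + PERMITS]
ALL_IP = [parse_ace(l) for l in
          ["access-list acl_out_to_in deny ip 125.110.102.0 255.255.255.0 any"] + PERMITS]
```

With `SMTP_ONLY` a host in the /24 still reaches the web server; with `ALL_IP` it reaches nothing, which is the caveat Jon gives above.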

3 REPLIES
Hall of Fame Super Blue

Re: PIX 515E to block ip of a subnet

bhavesh20@yahoo.com

I have a PIX 515E and would like to block traffic of certain IP subnets.

I am receiving so many hits from there to my email server's SMTP port.

I manually blocked IPs.

Ex.

125.110.102.86    IPs from China that are creating spam on my mail server.

220.190.41.132

Instead of each IP, I want to block 125.110.0.0 and 220.190.0.0.

How can I get this done?

Not sure what you are asking here.

If you are already blocking certain hosts, e.g.

access-list outside_in deny tcp host 125.110.102.86 host <mail-server-public-ip> eq 25

then to block a subnet simply change the first bit of your ACL, i.e.

access-list outside_in deny tcp 125.110.0.0 255.255.0.0 host <mail-server-public-ip> eq 25

Or have I misunderstood the requirement?

Jon

Community Member

Re: PIX 515E to block ip of a subnet

Thanks for the response, Jon.

I am not a lot familiar with PIX, but from the web interface (PDM) I added a rule like this and it's blocking traffic from that IP:

access-list acl_out_to_in line 40 extended deny object-group DM_INLINE_SERVICE_1 host 125.110.102.86 any 0x960c8531
  access-list acl_out_to_in line 40 extended deny ip host 125.110.102.86 any (hitcnt=21650) 0x47f4e704
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any (hitcnt=0) 0xe6059313
  access-list acl_out_to_in line 40 extended deny tcp host 125.110.102.86 any eq smtp (hitcnt=0) 0x7e703e53

What I would like to do is block everything from the IPs 125.110.102.0 - 125.110.102.255, all hosts. Is it possible?
